ICO consultation on the draft updated data sharing code of practice


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the
survey, or you have any general queries about the consultation, please
email us at datasharingcode@ico.org.uk.


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where
the respondent indicates that they are an individual acting in a private
capacity (e.g. a member of the public). All responses from organisations
and individuals responding in a professional capacity will be published. We
will remove email addresses and telephone numbers from these
responses; but apart from this, we will publish them in full.


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Q1 Does the updated code adequately explain and advise on the new
aspects of data protection legislation which are relevant to data
sharing?

[x] Yes

[ ] No


Q2 If not, please specify where improvements could be made. 


The code speaks about “data sharing agreement”, however it would be 
better to speak about “contract” to make it clearer that this should be 
legally binding. 


On page 4: the sentence “This code covers the sharing of personal data
between organisations which are controllers” is misleading, as it suggests
that the sharing of data only takes place between controllers, given the
following sentence.


On page 4: the sentence “You must identify at least one lawful basis for 
sharing data from the start” should be amended to “before any data 
sharing begins” to make it clearer. 


Under data sharing covered by this code on page 16, the two sentences
“This means giving personal data to a third party, by whatever means;
and includes when you give a third party access to personal data on or
via your IT systems. For the purposes of this code, it does not include
sharing data with employees, or with processors.” are confusing and
unclear when put together. It would be worth reiterating after “with
processors, such as third party IT service providers.”


There are some inconsistencies in the code regarding data processors 
that need to be addressed and specified. 

Page 17: on the list showing what data sharing could cover, does that
include third party data controllers, given that the scope says it excludes
processors? Following this, the real-life data sharing example of a
retailer providing customer details to a payment processing company is
an example of data sharing with a data processor, while it was said
above that this was out of scope.

If this is indeed out of scope then this example should be removed 
otherwise the section above needs to be amended accordingly. 

Page 19: there is a paragraph on sharing data with a processor,
whereas it repeatedly says before that sharing data with a data
processor is out of scope. We would also suggest moving this section
up to the relevant scoping point.


We would recommend that the last paragraph on page 17 is included in 
the summary for completeness. 


On the list on page 21 on the need to do a DPIA, criminal offence data 
is included in the special category data so we wonder why the code calls 
this out separately? If necessary it would be better to say, “special 
category data, such as criminal offence data”. 


On page 25, the first paragraph under “in more details” should state “it
is good practice to have one in place 'if there is no formal contract
already in place'”.


On page 27, it is written that “if you are using consent as a lawful basis 
for disclosure, then your agreement could provide a model consent 
form”. The sentence should be amended and say “your agreement 
SHOULD provide a model consent form” on the basis that this forms 
part of the evidence assessed in DPIA. 


On page 34, on the role of the Data Protection Officer (DPO) in a data
sharing arrangement: in some organisations, like Marie Curie,
information governance is separate from the DPO, so it may be more
appropriate to say “the DPO ensures compliance with data protection
law, provides advice to staff faced with decisions about data sharing and
works with colleagues to ensure information governance requirements
are met” instead of “the DPO advises everyone on information
governance...” as stated in the code.
On page 37, under lawful basis for sharing personal data - at a glance,
instead of saying “beforehand”, we would suggest writing “before any
data sharing takes place”.


On page 60, regarding the legal powers for private and third sector 
organisations, the sentence “if you are a private sector organisation...” 
is not clear as this also applies to third sector. Marie Curie has, for 
example, regulatory and contractual requirements for compliance with 
NHS DSPT, Gambling Commission RTS, PCI DSS. 


The section “data sharing in an urgent situation or in an emergency”
should be put further forward in the code to emphasise its importance
and that data protection is not a blocker.

It also needs to acknowledge the ‘smaller’ emergencies and give
examples, e.g. a vulnerable child is at risk out of hours and the local
authority needs to share information with a charity that can assist.


Q3 Does the draft code cover the right issues about data sharing?

[x] Yes

[ ] No


Q4 If no, what other issues would you like to be covered in it? 


On page 26 regarding the benefits of a data sharing agreement, it says 
that drafting and adhering to an agreement does not in itself provide 
the parties with any form of legal indemnity from action under the data 
protection legislation or other law. This is a really important point that 
needs to be made in the summary at the beginning of the code so that 
people understand the options and risks of doing a data sharing 
agreement rather than a formal contract. Whilst the latter doesn't 
provide indemnity from action either, it does address who is at fault and 
rectification, indemnities, etc. 


The section on due diligence when sharing data following mergers and
acquisitions should include a statement that makes it clear that if there
is a merger or acquisition and it is later found that the acquired
company had a data breach, it is the acquiring company that is liable. It
would also be good to provide an example, such as TalkTalk.


Q5 Does the draft code contain the right level of detail?

[ ] Yes

[x] No

Q6 If no, in what areas should there be more detail within the draft
code?


On page 13, the section about sharing data with people’s consent does
not mention the specifics of sharing data without people’s consent,
which would be highly relevant for the code to comment on. This section
should specifically reference that “there are other lawful bases, one of
which involves carrying out a legitimate interests assessment”.


On the same page, having an example on the possibility of sharing data
in an emergency would be useful, such as a vulnerable child's
safety being at risk if the information is not shared.


Regarding the examples the code provides under “the benefits of data 
sharing” (page 13), they are all related to patients, health and social 
care. Whilst this is very relevant for us, the code should provide some 
examples for other sectors as alluded to in the introductory summary. 
The next section has a good example for inclusion that will apply to 
many organisations on third party IT service providers that can 
remotely access an organisation's systems to provide support. 


On page 29 under the paragraph on when to review a data sharing 
agreement, it says that it should be reviewed on a regular basis. What 
does regular mean? Is there a recommendation of no less than once per 
year or is it up to each organisation? For instance, could one determine 
that 'regular' means every 5 years? 


Q7 Has the draft code sufficiently addressed new areas or
developments in data protection that are having an impact on your
organisation’s data sharing practices?

[ ] Yes

[x] No


Q8 If no, please specify what areas are not being addressed, or not
being addressed in enough detail.

The draft code presents the data protection principles but does not
cover some important areas of fundraising, for instance the possibilities
to fundraise on social media or using Facebook ads which are not GDPR
compliant. It would be useful if the code could address these data
protection issues as it is relatively hard to remain competitive while
ensuring GDPR is respected.


In addition, a case study related to the DeepMind sharing should also
be included as an example of healthcare working with Google and other
AI companies. Related to this, the code should address data sharing
that occurs with the use of Alexa.


The code should also present cases of data sharing of charities working 
with health and social care where the same lawful basis doesn't apply. 


Q9 Does the draft code provide enough clarity on good practice in data
sharing?

[ ] Yes

[x] No


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


The flow of the document isn't always particularly helpful.

As stated above, data sharing in an urgent situation or in an emergency
should be put further forward in the document to emphasise its
importance and that data protection is not a blocker. It also needs to
acknowledge the 'smaller' emergencies and give examples, e.g. a
vulnerable child is at risk out of hours and the local authority needs to share
information with a charity that can assist.


Q11 Does the draft code strike the right balance between recognising
the benefits of sharing data and the need to protect it?

[ ] Yes

[x] No

Q12 If no, in what way does the draft code fail to strike this balance?


For a charity like Marie Curie, it is not commercially viable not to use 
social media marketing due to data protection laws. For instance, Marie 
Curie does not use Facebook ads to look for new donors as Facebook 
does not respect data protection law. However, by respecting the data 
protection law, this puts the charity at a clear disadvantage against 
other charities that do use those ads or other means to reach out to 
more people on social media. The code should address those challenges 
recognising that charitable work depends on fundraising activities on 
social media. 


Q13 Does the draft code cover case studies or data sharing scenarios
relevant to your organisation?

[x] Yes

[ ] No


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


The draft code could add a reference section or appendix directing
people to approved sources of industry sector and specific guidance,
such as the NHS Information Governance Alliance and NHS Secondary Use
Data Governance Tool at https://data.england.nhs.uk/sudgt/ , the
Direct Marketing Association’s Code https://dma.org.uk/the-dma-code,
and the Fundraising Regulator Code, section 5
https://www.fundraisingregulator.org.uk/code/personal-information


Q15 To what extent do you agree that the draft code is clear and easy
to understand?

[ ] Strongly agree

[x] Agree

[ ] Neither agree nor disagree

[ ] Disagree
Q16 Are you answering as:

[ ] An individual acting in a private capacity (e.g. someone
providing their views as a member of the public)

[ ] An individual acting in a professional capacity

[x] On behalf of an organisation

[ ] Other


Please specify the name of your organisation: 


Marie Curie 


Thank you for taking the time to share your views and experience. 


